For a long time, I have been arguing that the national security agencies should apply the data protection principles to their processing of personal data, subject, if necessary, to exemptions from subject access and fair processing requirements. Today’s report from the Joint Committee on the Draft Investigatory Powers Bill (DIP) supports that position.
In summary, if the criminal intelligence processed by the police relating to serious crime can be subject to most data protection requirements without mishap (since the 1984 Act), then so can the intelligence held by the national security agencies. It follows that these agencies do not need the comprehensive exemption in Section 28 of the Data Protection Act; all they need is an exemption that is more targeted (e.g. similar to that available to the Police in Section 29 which is based on a test of “prejudice” and “necessity”).
The two Parliamentary Reports on the Government’s Draft Investigatory Powers Bill published this week recommend that general data protection/privacy requirements are integral to maintaining public trust in the post-Snowden era. Both raise concerns that the protection of privacy is inadequate.
Intelligence and Security Committee (ISC) Report
The first report published earlier this week is from the Intelligence and Security Committee which has Parliamentary oversight of the national security agencies; it states that the Government has drafted legislation that is back to front.
The Report recommends that a revised DIP Bill should specify the primacy of individual privacy before carving out national security exemptions from these privacy obligations.
Instead, the Committee concludes that the draft DIP Bill has identified the requirements of the national security agencies first, before considering what privacy protection should be attached to each operational requirement.
This back-to-front approach to privacy requirements can be seen from the following quotes from the ISC Report (some of which are quite damning of the Government’s imbalanced approach to the subject):
- “It is the view of this Committee that privacy protections should form the backbone of the draft legislation, around which the exceptional powers are then built”.
- “Privacy considerations must form an integral part of the legislation, not merely an add-on.”
- “It is surprising that the protection of people’s privacy – which is enshrined in other legislation – does not feature more prominently”.
- “Overall, the privacy protections are inconsistent and in our view need strengthening.”
- “One might have expected an overarching statement at the forefront of the legislation, or to find universal privacy protections applied consistently throughout the draft Bill. However, instead, the reader has to search and analyse each investigatory power individually to understand the privacy protections which may apply”.
- “The Committee considers that the acquisition, retention and examination of any Bulk Personal Dataset is sufficiently intrusive that it should require a specific warrant. We therefore recommend that Class Bulk Personal Dataset warrants are removed from the new legislation” (i.e. the proposal that the national security agencies get a host of Bulk Personal Datasets in one warrant swoop should be removed).
- “The new legislation should include a single additional Part that addresses privacy safeguards and clearly sets out universal privacy protections which apply across the full range of investigatory powers”.
Note that applying the Data Protection Act to the national security function, subject to a suitable exemption, does all that the ISC wants. At the moment, the section 28 exemption can exclude all of the Principles, rights and enforcement powers.
The Joint Committee Report
The second report (published today) is from the Joint Committee on the Draft Investigatory Powers Bill; members of the Committee are drawn from both Houses of Parliament.
Here the Committee agreed with specific data protection concerns I raised in my written evidence with respect to Bulk Personal Datasets (BPDs), namely: the absence of data protection requirements, the lack of safeguards from misuse of powers, and the lack of detail with respect to why invasive powers were needed.
In further detail, the Joint Committee’s recommendations with respect to BPDs are:
- “We urge the Investigatory Powers Commissioner to scrutinise the automated analysis of bulk datasets conducted by the security and intelligence agencies to ensure that they are conducted appropriately and proportionately and with regard to privacy and data protection requirements”. (I argued that the Commissioner should consider these data protection issues when a national security agency applied for a bulk personal dataset warrant).
- “We recommend that the Home Office should produce its case for bulk personal datasets (BPDs) when the Bill is published”. (I argued that the case was not made).
- “We recommend that the Government should publish a fuller justification for each of the bulk powers alongside the Bill.” (I argued that the case had not been made).
- “The safeguards for BPDs are not sufficiently explained in the Bill.” (I said there was no explanation at all!).
- “We further recommend that the examples of the value of the bulk powers provided should be assessed by an independent body, such as the Intelligence and Security Committee or the Interception of Communications Commissioner” (I said the Commissioner should establish Key Performance Indicators to assess whether each exercise of BPD obtaining powers had worked in practice).
- “While the Committee acknowledges the case made by the Home Office for not providing detailed information as to the contents of bulk personal datasets (BPDs), the lack of that detail makes it hard for Parliament to give the power sufficient scrutiny”. (I said that scrutiny was impossible if no detail is provided!).
- “We also agree that existing powers for acquiring BPDs should be consolidated in this Bill and that any other powers for the security and intelligence agencies to acquire BPDs should be repealed”. (Bob-on! No more powers such as “Section 94 of Telecommunications Act 1984” lurking around for decades; see references for a shocking history lesson!).
- “We believe that a draft Code of Practice on BPDs should be published when the Bill is introduced to provide greater clarity on the handling of BPDs, not least in relation to the provisions of the Data Protection Act 1998. To the greatest extent possible, the safeguards that appear in the Data Protection Act 1988 should also apply to personal data held by the security and intelligence agencies”.
The last recommendation is immensely satisfying; for the first time compliance by the national security agencies with the Data Protection Act is on the Parliamentary Agenda. My previous blogs (see references) will guide the reader as to why this step is essential.
The Committee did not follow me all the way with respect to the role of the Investigatory Powers Commissioner, but I am satisfied that a first step down a very long path has been taken. At the very least, a public debate about data protection and national security can commence.
References
- Intelligence and Security Committee of Parliament Report on the Draft Investigatory Powers Bill (HC 795); link dated 9 February 2016, on http://isc.independent.gov.uk/
- Report of the Joint Committee on the Draft Investigatory Powers Bill; HL Paper 93 and HC 651 (February 2016) http://www.parliament.uk/business/committees/committees-a-z/joint-select/draft-investigatory-powers-bill/news-parliament-2015/report-published/
- My evidence to the Committee http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/25924.html
Blogs relating to Data Protection and the National Security function:
- Section 94 of the Telecommunications Act 1984: a warning from history: http://amberhawk.typepad.com/amberhawk/2015/11/section-94-of-the-telecommunications-act-1984-a-warning-from-history.html
- Draft Investigatory Powers Bill ignores data protection when collecting bulk personal datasets; http://amberhawk.typepad.com/amberhawk/2016/01/draft-investigatory-powers-bill-ignores-data-protection-when-collecting-bulk-personal-datasets.html
- Unfettered bulk data collection powers presage mass surveillance and a debate about haystacks; http://amberhawk.typepad.com/amberhawk/2015/11/unfettered-bulk-data-collection-powers-presage-mass-surveillance-and-a-debate-about-haystacks.html
- National security agencies should be subject to Data Protection law; http://amberhawk.typepad.com/amberhawk/2014/10/national-security-agencies-should-be-subject-to-data-protection-law.html
- Intelligence and Security Committee ignore the Data Protection Principles in its attempt to restore public trust in bulk data collection; http://amberhawk.typepad.com/amberhawk/2015/03/intelligence-and-security-committee-ignore-the-data-protection-principles-in-its-attempt-to-restore-public-trust-in-bulk-data.html
- Should national security certificates exclude the Data Protection Principles? http://amberhawk.typepad.com/amberhawk/2014/02/should-national-security-certificates-exclude-the-data-protection-principles.html